Posted to commits@syncope.apache.org by co...@apache.org on 2019/10/11 10:45:19 UTC

[syncope] branch master updated: Disallow Doctypes for SAXParserFactory

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/syncope.git


The following commit(s) were added to refs/heads/master by this push:
     new a7a3009  Disallow Doctypes for SAXParserFactory
     new 16fb995  Merge pull request #129 from coheigea/doctypes
a7a3009 is described below

commit a7a3009a5002f6e72fe5d19eb99382c28f374799
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Oct 11 11:35:34 2019 +0100

    Disallow Doctypes for SAXParserFactory
---
 .../apache/syncope/core/persistence/jpa/content/XMLContentLoader.java    | 1 +
 1 file changed, 1 insertion(+)

diff --git a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/XMLContentLoader.java b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/XMLContentLoader.java
index db95a6a..9c1b502 100644
--- a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/XMLContentLoader.java
+++ b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/XMLContentLoader.java
@@ -112,6 +112,7 @@ public class XMLContentLoader implements ContentLoader {
 
         SAXParserFactory factory = SAXParserFactory.newInstance();
         factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         try (contentXML) {
             SAXParser parser = factory.newSAXParser();
             parser.parse(contentXML, new ContentLoaderHandler(dataSource, ROOT_ELEMENT, true, env));
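Review bot: The added `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` line passes a parser-specific feature URI as a bare string literal with no comment, so a later reader cannot tell that it exists to reject any DOCTYPE in the content XML, which closes off DTD-based entity expansion and external entity resolution. I would put `// Reject DOCTYPE declarations outright (blocks XXE / DTD entity expansion); Xerces-style feature id` above it, and pass `Boolean.TRUE` to match the `FEATURE_SECURE_PROCESSING` call on the preceding line. Because the call sits before the `try`, a JAXP implementation that does not recognise the feature should make the method throw rather than parse unhardened; that looks like the right fail-closed behaviour, but it depends on the method's `throws` clause and its callers, which are outside this hunk. A regression test that feeds the loader a document with a DOCTYPE and expects a parse failure would keep the hardening from being dropped silently later.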